Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pragmatic XML security Hans Granqvist, ApacheCon 2005.

Published byNickolas Cox Modified over 9 years ago

Similar presentations

Presentation on theme: "Pragmatic XML security Hans Granqvist, ApacheCon 2005."— Presentation transcript:

1 Pragmatic XML security Hans Granqvist, ApacheCon 2005

2 2 Agenda + XML Basics ▪ Schemas, namespaces + XML security ▪ Keys, certificates ▪ Signatures, encryption + Apache TSIK ▪ Origins, status ▪ WSS4J, XML Security + Coding examples ▪ Utility classes ▪ Signing ▪ Encryption ▪ Graphs and Actions + Future directions ▪ Key Management, WS-* ▪ SAML ▪ Identities

3 3 XML Basics

4 4 Quick XML recap Welcome to ApacheCon 2005! Element Attribute Namespace declaration Schema Default namespace

5 5 XML Security

6 6 XML security + Same issues as any old security problem ▪ Integrity, confidentiality, authentication + Solved in the same way ▪ Keys, certificates + Specifications ▪ Key management, Encryption, Signature + Web services ▪ SOAP envelope, headers, body + SOAP security ▪ Not further discussed here!

7 7 Apache TSIK

8 8 Origins, status + In Apache incubation since August 2005 ▪ http://incubator.apache.org/tsik + Closed source 2000-2004 ▪ Basis of several products ▪ XML firewalls, PKI lifecycle management, Multi-factor authentication + Security ▪ XML signature, encryption, Pkcs#7 streaming, Key management ▪ WS-Security, WS-* + Utility classes ▪ DOM, XPath, SOAP + Addons, plugins ▪ Plug-in SOAP implementation ▪ Add-on XML messaging

9 9 XML Security, ws.apache.org + Apache XMLSecurity ▪ XML signature and XML encryption + ws.apache.org ▪ Aims at implementing existing WS* standards ▪ An umbrella for several sub projects ▪ Axis filters + Apache TSIK ▪ Toolkit model – Single JAR ▪ Philosophy: – Simplify security usage as much as possible – Make it hard to commit security mistakes

10 10 Projects comparison Simplicity of use Completeness TSIK ws.apache.org xmlsec

11 11 Code examples

12 12 What we'll look at + DOM cursors ▪ Simplified Document Object Model interface ▪ Traverse, get info, create elements, move around, copy sub-trees – Avoids DOM API, interface level, or implementation differences – All DOM namespaces automatically handled and kept in context + XPaths ▪ Simplified XPath interface used in all APIs + Signing + Encryption + Trust + Graphs and Actions

13 13 DOM cursors + Reads and writes + Element-oriented ▪ No "mixed content" (text and element siblings). + Intended for structured data ▪ Not for human written or free-form documents ▪ Access to text nodes only provided via parent element + No low-level DOM access ▪ Not for implementing XPath, XSLT or C14N + Manipulates three node types: elements, attributes and text ▪ Other node types ignored and preserved

14 14 org.apache.tsik.domutil // creating // DOMCursor c = new DOMCursor(document | element | node); DOMCursor cloneCursor() // clones cursor, not DOM // inquiring // boolean atTop() boolean atElement(uri, name) boolean contains(otherCursor) XPath createXPath( | relativeToOtherCursor) String getAttribute([String uri,] String localName) // traversing // boolean moveTo[Child|Sibling](int index) boolean moveTo[Child|Sibling](String uri, String localName) // (cont.)

15 15 org.apache.tsik.domutil // traversing (cont.) // boolean moveToDescendant(String uri, String localName, boolean includeSelf) boolean moveToTop() boolean moveToParent() boolean moveToXPath(XPath xpath) // Write cursors // DOMWriteCursor wc = new DOMWriteCursor(); // writing // add[Before|Under](String uri, String prefix, String name) copy[Before|Over|Under](DomCursor copyFrom) move[Before|Over|Under](DomCursor moveFrom)

16 16 XPath + XPath is a W3C language for addressing parts of an XML document ▪ Non-XML syntax ▪ Pattern matching + Examples ▪ /this/that/ns:theother ▪ //*[@id='b1'] + TSIK XPaths encapsulate a W3C XPath expression and namespaces that relate to the expression + Used in TSIK packages to reference nodes

17 17 org.apache.tsik.xpath // create // XPath(String expr) XPath(String expr, Map namespaces) // prefix->uri XPath(String expr, String[] namespaces) // prefix, uri // create from id('idValue') // static XPath fromID(String idValue) // create from #xpointer(xpath), #idValue // static XPath fromXPointer(String xpointer) static XPath fromXPointer(String xpointer, Map namespaces)

18 18 Signing and Verifying + Sign and verify a W3C XML Digital Signature + RSA, DSA, HMAC, hardware keys ▪ X.509 certificate chains, KeyInfos or raw keys + Use XPath expressions for locations in a document + Multiple signatures ▪ As well as signatures with multiple references + Sign in place or return new document + Verify signatures with ▪ Verification key supplied in the document, or ▪ User-supplied key

19 19 Sign with org.apache.tsik.xmlsig // Sign a document. Implicitly tell it to add the // public verification key to output. // Signer s = new Signer(document, privateKey, publicKey); // Supply two locations to be signed. // XPath loc1 = new XPath("id('someID')"); s.addReference(loc1); XPath loc2 = new XPath("/some/element"); s.addReference(loc2); // Specify a location where we want the // resulting signature to be placed. // XPath output = new XPath("/"); Document d = s.sign(output);

20 20 Verify with org.apache.tsik.xmlsig // Specify signature location String ns[] = {"ds", "http://www.w3.org/2000/09/xmldsig#"}; XPath signatureLocation = new XPath("//ds:Signature", ns); // Verify using key contained in document Verifier v = new Verifier(doc, signatureLocation); boolean isVerified = v.verify(); // Verify using specified key Verifier v = new Verifier(doc, signatureLocation); RSAPublicKey verifyingKey = [some public key]; boolean isVerified = v.verify(verifyingKey); // Make sure signature is over what we expect XPath loc = new XPath("/some/element"); boolean b = v.isReferenced(loc);

21 21 Trust Verifier + Verifies trust of public keys and certificates. + Use as is or as plug-in/adapter ▪ Used in TSIK messaging ( org.apache.tsik.addon.messaging ) + Verify based on a given collection of trusted keys and certificates. + Chain verifiers to perform multiple checks ▪ For example all must pass, or one must pass + Automatic caching for expensive verifications ▪ For example XKMS, CRL

22 22 org.apache.tsik.verifier // Get the certificate(s) from the verifier // X509Certificate[] chain = v.getCertificateChain(); // Use an X.509 trust verifier with trusted certs // ArrayList list = new ArrayList(); list.add(...); X509TrustVerifier trustVerifier = new X509TrustVerifier(list); trustVerifier.verifyTrust(chain); // We can also use a CRL trust verifier. Specify which // entities we accept as signers on the CRL and verify. // CRLTrustVerifier ctv = new CRLTrustVerifier(); list.add(...); ctv.addCRLsigners(list); ctv.verifyTrust(chain);

23 23 Encrypting and decrypting + Encrypt and decrypt according to W3C standard ▪ Key and data encryption + Supports element and element content encryption + Uses XPath expressions for all locations in a document + Encrypt/Decrypt in place or return new document

24 24 Encrypt with org.apache.tsik.xmlenc // Create an Encryptor on the document Encryptor e = new Encryptor(doc, key, AlgorithmType.TRIPLEDES); // create an XPath expression with the namespaces we need String[] ns = {"a", "urn:some-uri", "b", "urn:some-other-uri"}; XPath xpath = new XPath("/a:foo/b:bar", ns); // Encrypt in place according to xpath e.encryptInPlace(xpath); This is some text.... <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">...

25 25 Decrypt with org.apache.tsik.xmlenc <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">... // Create a Decryptor on the doc, specify the location of the // encrypted data. // String[] ns = {"a", "urn:some-uri", "xenc", "http://www.w3.org/2001/04/xmlenc#"}; XPath xpath = new XPath("/foo:a/xenc:EncryptedData", ns); Decryptor d = new Decryptor(d, key, xpath); // Decrypt the document in place // d.decryptInPlace();

26 26 Graphs and Actions + Graphs ▪ Policy derived [to be done] ▪ Executable dependency chains – Chains of independent Actions + Actions ▪ Atomic building blocks – no dependencies to other Actions ▪ Either: reads or writes to a DOM (or both) ▪ Or: maps or re-maps values + A number of pre-packaged actions and graphs ▪ Now: Mainly used for WS-* ▪ org.apache.tsik.wsp.Action and org.apache.tsik.wsp.DependencyGraph

27 27 Future directions

28 28 TSIK future + Collaboration with other Apache projects ▪ Overlap, re-use, commons + Key Management, WS-* ▪ Dozens of standards + (Federated) Identities ▪ Liberty ▪ SAML ▪ InfoCard ▪ Non-XML? + Roadmap still being decided ▪ Driven by developers! ▪ http://incubator.apache.org/tsik

29 Thanks! Questions? Hans Granqvist

Download ppt "Pragmatic XML security Hans Granqvist, ApacheCon 2005."

Similar presentations

XML Signature 2.0. Timelines 2002 – XML Signature 1.0 2007 – XML Signature 1.0, 2 nd edition –Adds support for Canonicalization 2009 end – XML Signature.

XML Signature 2.0. Timelines 2002 – XML Signature – XML Signature 1.0, 2 nd edition –Adds support for Canonicalization 2009 end – XML Signature.
Advanced XSLT II. Iteration in XSLT we sometimes wish to apply the same transform to a set of nodes we iterate through a node set the node set is defined.

Advanced XSLT II. Iteration in XSLT we sometimes wish to apply the same transform to a set of nodes we iterate through a node set the node set is defined.
XML: Extensible Markup Language

XML: Extensible Markup Language
95-733 Internet Technologies1 1 Lecture 4: Programming with XSLT.

Internet Technologies1 1 Lecture 4: Programming with XSLT.
SOAP.

SOAP.
W3C XML Schema: what you might not know (and might or might not like!) Noah Mendelsohn Distinguished Engineer IBM Corp. October 10, 2002.

W3C XML Schema: what you might not know (and might or might not like!) Noah Mendelsohn Distinguished Engineer IBM Corp. October 10, 2002.
Web Service Security CS409 Application Services Even Semester 2007.

Web Service Security CS409 Application Services Even Semester 2007.
XML Encryption Prabath Siriwardena Director, Security Architecture.

XML Encryption Prabath Siriwardena Director, Security Architecture.
Using Multi-Encryption to Provide Secure and Controlled Access to XML Documents Tomasz Müldner, Jodrey School of Computer Science, Acadia University, Wolfville,

Using Multi-Encryption to Provide Secure and Controlled Access to XML Documents Tomasz Müldner, Jodrey School of Computer Science, Acadia University, Wolfville,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
1/4722 January 2003Secure XML XML Security Donald E. Eastlake, III

1/4722 January 2003Secure XML XML Security Donald E. Eastlake, III
More XML XML schema, XPATH, XSLT CS 431 – February 21, 2005 Carl Lagoze – Cornell University acknowledgements to

More XML XML schema, XPATH, XSLT CS 431 – February 21, 2005 Carl Lagoze – Cornell University acknowledgements to
XML Security in IODEF INCH WG, IETF56 March 19, 2003 Yuri Demchenko.

XML Security in IODEF INCH WG, IETF56 March 19, 2003 Yuri Demchenko.
Cornell CS 502 More XML XML schema, XPATH, XSLT CS 502 – 20020214 Carl Lagoze – Cornell University.

Cornell CS 502 More XML XML schema, XPATH, XSLT CS 502 – Carl Lagoze – Cornell University.
September 15, 2003Houssam Haitof1 XSL Transformation Houssam Haitof.

September 15, 2003Houssam Haitof1 XSL Transformation Houssam Haitof.
Web services security I

Web services security I
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/

Similar presentations

Ads by Google